Prisma Access Browser
Onboard Prisma Access Browser on the Strata Cloud Manager
Learn how to onboard Prisma Access Secure Enterprise Browser (Prisma Access Browser) on the Strata Cloud Manager and integrate with Prisma Access.
See the prerequisites before you begin this task.
Complete the Pre-Onboarding Tasks
Before onboarding Prisma Access Browser, you must complete a couple of
tasks.
- Define the Cloud Identity Engine entities. This can be configured by using the Cloud Identity Engine that you selected during the activation process.
- You need the Authentication profile and the User groups that are part of
your onboarding process. These are configured in the Cloud Identity Engine.
For more information, refer to the Authentication profile and User groups.
You can only have one Authentication Profile. If you use more than one Identity Provider (IdP), you can configure multiple IdPs per profile. To do this, choose the Authentication Mode of Multiple when you configure the Authentication Profile.
Add IdP Configuration
You can use your current SAML IdP provider to manage a single set of login
credentials in your network. The IdP configuration is a component of the
Cloud Identity Engine, and you can manage it within that tool.
- In the Cloud Identity Engine, select Authentication Type.
- Click Add New Authentication Type. When you use the IdP provider’s information to populate your user groups, you need to make sure to correctly enter a valid email address. The UPN isn't sufficient.
- In the Set Up Authentication Type, click SAML 2.0 Set Up.
- To continue configuring your SAML Authenticator, refer to Configure a SAML 2.0 Authentication Type in the Cloud Identity Engine.
- (Optional) Use Google Workspace Integration.
Onboard the Prisma Access Browser
After you do the pre-onboarding steps, you can onboard the Prisma Access Browser on
the Strata Cloud Manager.
You need to activate and configure the Prisma Access Browser in the Strata Cloud Manager before you can add users. In general, you
only need to perform this procedure once after Activation; however, you can
return to these tasks anytime you need to modify them.
There is a Wizard that you can use for this process, and you can modify
the global configuration at any time. The Wizard provides detailed instructions
on completing each step of the integration.
The controls that you see depend on your Prisma Access Browser license;
not all the Onboarding functionality in the Strata Cloud Manager is available
for all licenses.
From the Strata Cloud Manager, select Workflows > Prisma Access Setup > Prisma Access Browser.
Step 1 - Users
Define the user authentication method and onboard User groups.
- From the dropdown list, select the CIE profile that will be used for User Authentication.
- From the User groups dropdown list, select the User groups that will be able to access Prisma Access Browser.
- Next: Prisma Access Integration.
Step 2 - Prisma Access Integration
- Enable external connectivity to Prisma Access.
- Select Go to Explicit Proxy settings.
- This takes you to Workflows > Prisma Access Setup > Explicit Proxy.
- Enable the Prisma Access Browser.
- Done.
- Allow the Prisma Access Browser in the Prisma Access security
policy.
- Select Manage > Prisma Access > Security Policy.
- This takes you to Manage > Prisma Access > Security Policy.
- Add a rule that allows web traffic in your security policy.
- Push configuration to accept the rule.
- Done.
- Create a service connection.
- Select Create a service connection.
- This takes you to Workflows > Prisma Access Setup > Service Connections and Add Service Connection.
- Done.
- Next: Routing.
Step 3 - Routing
The Routing control allows you to manage the way that the Prisma Access Browser
handles network traffic. This feature sets up the default configuration for
Prisma Access Browser. If you need to adjust the granularity of the control
for a specific Rule, refer to Browser Customization Controls for traffic flows.
- Choose one of the following options:
- Only route private application traffic through Prisma Access.
- Route all traffic through Prisma Access.
- (Optional) Ensure that the Prisma Access Browser traffic flows in
an optimal manner when the browser detects it's running within the
internal network. This identification is based on establishing a
connection with a host that is only available inside the internal
network.
- Enter the FQDN to resolve.
- Enter the expected IP address.
- Next: Enforce SSO applications.
Step 4 - Enforce SSO Applications
It's important that the only way your users can authenticate on SSO-enabled
applications is by using the Prisma Access Browser. This will ensure that
external actors will have no access to your enterprise applications. To
select your IdP:
- In Choose and configure your identity providers, select the
available IdP. The options are:
  - Okta
  - Microsoft Azure Active Directory
  - PingID
  - OneLogin
  - VMware workspace ONE Access
- When you configure your local settings, be sure to take note of the egress IP addresses.
- Next: Download and distribute.
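One way to verify the enforcement described in this step, as an added example that is not part of the vendor documentation: a Python audit that flags successful IdP sign-ins whose source address is outside the noted egress IP addresses. It assumes the IdP is configured to accept sign-ins only from those addresses; the egress ranges, log field names and events are constructed placeholders.

```python
import ipaddress
import json

# Constructed values: documentation-range addresses stand in for the egress
# IP addresses noted during Step 4 (replace with your tenant's real list).
EGRESS_RANGES = ["198.51.100.0/28", "203.0.113.17", "2001:db8:aa::/48"]

# Constructed sign-in events; the field names are hypothetical and must be
# mapped to whatever your IdP's log export actually uses.
SAMPLE_EVENTS = """
{"user": "alice@example.com", "app": "crm", "src_ip": "198.51.100.5", "result": "SUCCESS"}
{"user": "bob@example.com", "app": "crm", "src_ip": "192.0.2.44", "result": "SUCCESS"}
{"user": "carol@example.com", "app": "hr", "src_ip": "192.0.2.44", "result": "FAILURE"}
{"user": "dave@example.com", "app": "hr", "src_ip": "2001:db8:aa:1::9", "result": "SUCCESS"}
{"user": "erin@example.com", "app": "wiki", "src_ip": "not-an-ip", "result": "SUCCESS"}
{"user": "frank@example.com", "app": "wiki", "src_ip": "203.0.113.18", "result": "SUCCESS"}
"""


def classify(event, networks):
    """Return 'ok', 'outside_egress', 'blocked', or 'unparseable'."""
    try:
        addr = ipaddress.ip_address(event.get("src_ip", ""))
    except ValueError:
        return "unparseable"  # surface for manual review, never drop silently
    inside = any(addr in net for net in networks if net.version == addr.version)
    if inside:
        return "ok"
    # A failed sign-in from elsewhere means the IdP restriction did its job.
    return "outside_egress" if event.get("result") == "SUCCESS" else "blocked"


def audit(lines, ranges=EGRESS_RANGES):
    """Group users by classification over newline-delimited JSON events."""
    # Entries may be single addresses or CIDR blocks, IPv4 or IPv6.
    networks = [ipaddress.ip_network(r, strict=False) for r in ranges]
    findings = {}
    for line in lines.strip().splitlines():
        event = json.loads(line)
        findings.setdefault(classify(event, networks), []).append(event["user"])
    return findings


if __name__ == "__main__":
    for verdict, users in audit(SAMPLE_EVENTS).items():
        print(f"{verdict}: {', '.join(users)}")
```

Any user listed under `outside_egress` completed an SSO sign-in without passing through Prisma Access, which means the IdP-side restriction is missing or incomplete for that application.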
Step 5 - Download and Distribute
You can also send your users the download link so that they can download
the Prisma Access Browser on their own. This is a single link for macOS and
Windows users only.
- Select from the available options:
  - Desktop:
    - macOS
    - Windows
  - Mobile:
    - iOS
    - Android
If you send your users the download link, remind them that they can only log in with the email that is configured in the IdP service.
- Next: Browser Policy.
Step 6 - Browser Policy
- Select Browser Policy.
- This directs you to Manage > Configuration > Prisma Access Browser > Policy > Rules.
- Manage Prisma Access Browser Policy Rules.
Onboard New Users
The Onboarding workflow is a configurable series of windows displayed
when a new end user starts using the browser.
Based on the IT needs and requirements, you can select up to eight
individual pages that allow the end users to customize the browser with their
pictures and bookmarks, and to find out some basic information about the browser
– a sort of “Quick-Start” guide.
The Onboarding Wizard customization control configures the Onboarding
workflow. You can select which windows will be displayed in your network.
You configure this in Manage > Configuration > Prisma Access Browser > Policy > Profiles when you create or edit a Browser
Customization profile and choose Onboarding Wizard. For configuration
details, see the Browser Customization Controls for the Onboarding Wizard.